Analysis
- max time kernel: 118s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 05:57
Static task: static1
Behavioral task: behavioral1
- Sample: 11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
- Resource: win10v2004-en-20220113
General
- Target: 11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
- Size: 60KB
- MD5: 1b8db6ae8b946c9dadfe2f64f0f4a853
- SHA1: edb4ed1467e7ff5eb7b1872f6acd136a14a7e8f3
- SHA256: 11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc
- SHA512: 2e06a516ff6e800b4e085b72887136bce650e054bdc34f3bec3e5b9a3a5cf832f11e285ede6c97aea17443a84f12eb0e663bba756fd403832faff4f41af30796
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    380  MediaCenter.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1224  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    756  11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
    756  11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"  11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeIncBasePriorityPrivilege  756  11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 756 wrote to memory of 380   756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  MediaCenter.exe
    PID 756 wrote to memory of 380   756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  MediaCenter.exe
    PID 756 wrote to memory of 380   756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  MediaCenter.exe
    PID 756 wrote to memory of 380   756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  MediaCenter.exe
    PID 756 wrote to memory of 1224  756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  cmd.exe
    PID 756 wrote to memory of 1224  756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  cmd.exe
    PID 756 wrote to memory of 1224  756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  cmd.exe
    PID 756 wrote to memory of 1224  756   11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe  cmd.exe
    PID 1224 wrote to memory of 964  1224  cmd.exe  PING.EXE
    PID 1224 wrote to memory of 964  1224  cmd.exe  PING.EXE
    PID 1224 wrote to memory of 964  1224  cmd.exe  PING.EXE
    PID 1224 wrote to memory of 964  1224  cmd.exe  PING.EXE
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe"
  PID: 756
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    PID: 380
    - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\11406986f84b94e2517d64dc9204891d61ec20f3d76aaed399b050a1380568bc.exe"
    PID: 1224
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 964
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads (3 entries, all with identical hashes)
- MD5: 1a54dea9f055188f260b9213cadb7a77
- SHA1: 2cd0b9ba964a1ced36a9285b1d9171cccbcb2192
- SHA256: e0d4c8d88d6828b5a12fd88e9b867041661585da4066b70af8fde98cd82f92ef
- SHA512: 1b7e8b75a67230f88af066dbe7e40f3bd67f00e7913da4a5f59a66053e3959d3ee68920ff48c29ac91f1c51c4be298475341d6b250c29d93d28a63e59e11a560